Accepting request 668140 from home:jsmeix:branches:Printing

Ghostscript security fix upgrade (purely a security fix) to fix CVE-2019-6116 bsc#1122319

OBS-URL: https://build.opensuse.org/request/show/668140
OBS-URL: https://build.opensuse.org/package/show/Printing/ghostscript?expand=0&rev=102

ghostscript-9.26.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:831fc019bd477f7cc2d481dc5395ebfa4a593a95eb2fe1eb231a97e450d7540d
-size 42084660

ghostscript-9.26a.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:79482d5b8350a542ed830ce724b7317f878bcddbdbc163471e2a74848462eb3b
+size 42087219

ghostscript-mini.changes

@@ -1,3 +1,21 @@
+-------------------------------------------------------------------
+Wed Jan 23 16:52:00 CET 2019 - jsmeix@suse.de
+
+- Version upgrade to 9.26a
+  The version 9.26a is a special security bugfix version to fix
+  * CVE-2019-6116: subroutines within pseudo-operators
+    must themselves be pseudo-operators
+    https://bugs.ghostscript.com/show_bug.cgi?id=700317
+    https://bugzilla.suse.com/show_bug.cgi?id=1122319 bsc#1122319
+
+-------------------------------------------------------------------
+Thu Jan 10 17:09:16 UTC 2019 - jweberhofer@weberhofer.at
+
+- ghostscript-2.26-subclassing-devices-fix-put_image-method.patch
+  fixes Ghostscript issue #700315 and bsc#1121490
+  https://bugs.ghostscript.com/show_bug.cgi?id=700315
+  Segfault in GS 9.26 with certain PDFs with -dLastPage=1
+
 -------------------------------------------------------------------
 Fri Nov 30 09:01:17 CET 2018 - jsmeix@suse.de
 

ghostscript-mini.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package ghostscript-mini
 #
-# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -38,9 +38,13 @@ Url:            http://www.ghostscript.com/
 # because rpmvercmp would treat 9.pre15rc1 as 9.pre.15.rc1 and letters are older than numbers
 # so that we keep additionally the previous version number to upgrade from the previous version:
 #Version:        9.25pre26rc1
-# Normal version for Ghostscript releases is the upstream version:
+# The upstream version 9.26a is a special Ghostscript upstream security bugfix tar ball
-Version:        9.26
+# where upstream provides a complete and consistent state of the whole Ghostscript code
+# that includes in particular the complete patchset that is really non-trivial
+# to fix the Ghostscript upstream bug 700317 CVE-2019-6116:
+Version:        9.26a
 Release:        0
+# Normal version for Ghostscript releases is the upstream version:
 # tarball_version is used below to specify the directory via "setup -n":
 # Special tarball_version needed for Ghostscript release candidates e.g. "define tarball_version 9.15rc1".
 # For Ghostscript releases tarball_version and version are the same (i.e. the upstream version):
@@ -49,8 +53,8 @@ Release:        0
 # built_version is used below in the install and files sections:
 # Separated built_version needed in case of Ghostscript release candidates e.g. "define built_version 9.15".
 # For Ghostscript releases built_version and version are the same (i.e. the upstream version):
-%define built_version %{version}
+#define built_version %{version}
-#define built_version 9.26
+%define built_version 9.26
 # Source0...Source9 is for sources from upstream:
 # Special URLs for Ghostscript release candidates:
 # see https://github.com/ArtifexSoftware/ghostpdl-downloads/releases
@@ -68,6 +72,7 @@ Release:        0
 # MD5 checksum for Source0: 806bc2dedbc7f69b003f536658e08d4a ghostscript-9.26.tar.gz
 Source0:        ghostscript-%{version}.tar.gz
 # Patch0...Patch9 is for patches from upstream:
+Patch0:         ghostscript-2.26-subclassing-devices-fix-put_image-method.patch
 # Source10...Source99 is for sources from SUSE which are intended for upstream:
 # Patch10...Patch99 is for patches from SUSE which are intended for upstream:
 # Source100...Source999 is for sources from SUSE which are not intended for upstream:
@@ -133,6 +138,7 @@ This package contains the development files for Minimal Ghostscript.
 # Be quiet when unpacking and
 # use a directory name matching Source0 to make it work also for ghostscript-mini:
 %setup -q -n ghostscript-%{tarball_version}
+%patch0 -p1
 # Patch100 remove-zlib-h-dependency.patch removes dependency on zlib/zlib.h
 # in makefiles as we do not use the zlib sources from the Ghostscript upstream tarball.
 # Again use the zlib sources from Ghostscript upstream

ghostscript.changes

@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Wed Jan 23 16:52:00 CET 2019 - jsmeix@suse.de
+
+- Version upgrade to 9.26a
+  The version 9.26a is a special security bugfix version to fix
+  * CVE-2019-6116: subroutines within pseudo-operators
+    must themselves be pseudo-operators
+    https://bugs.ghostscript.com/show_bug.cgi?id=700317
+    https://bugzilla.suse.com/show_bug.cgi?id=1122319 bsc#1122319
+
 -------------------------------------------------------------------
 Thu Jan 10 17:09:16 UTC 2019 - jweberhofer@weberhofer.at
 

ghostscript.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package ghostscript
 #
-# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -58,9 +58,13 @@ Url:            http://www.ghostscript.com/
 # because rpmvercmp would treat 9.pre15rc1 as 9.pre.15.rc1 and letters are older than numbers
 # so that we keep additionally the previous version number to upgrade from the previous version:
 #Version:        9.25pre26rc1
-# Normal version for Ghostscript releases is the upstream version:
+# The upstream version 9.26a is a special Ghostscript upstream security bugfix tar ball
-Version:        9.26
+# where upstream provides a complete and consistent state of the whole Ghostscript code
+# that includes in particular the complete patchset that is really non-trivial
+# to fix the Ghostscript upstream bug 700317 CVE-2019-6116:
+Version:        9.26a
 Release:        0
+# Normal version for Ghostscript releases is the upstream version:
 # tarball_version is used below to specify the directory via "setup -n":
 # Special tarball_version needed for Ghostscript release candidates e.g. "define tarball_version 9.15rc1".
 # For Ghostscript releases tarball_version and version are the same (i.e. the upstream version):
@@ -69,8 +73,8 @@ Release:        0
 # built_version is used below in the install and files sections:
 # Separated built_version needed in case of Ghostscript release candidates e.g. "define built_version 9.15".
 # For Ghostscript releases built_version and version are the same (i.e. the upstream version):
-%define built_version %{version}
+#define built_version %{version}
-#define built_version 9.26
+%define built_version 9.26
 # Source0...Source9 is for sources from upstream:
 # Special URLs for Ghostscript release candidates:
 # see https://github.com/ArtifexSoftware/ghostpdl-downloads/releases
@@ -212,6 +216,7 @@ For information how to use Ghostscript see
 
 %package x11
 Summary:        X11 library for Ghostscript
+Group:          Productivity/Publishing/PS
 # Require the exact matching version-release of the ghostscript main-package because
 # a non-matching ghostscript main-package may let it fail or even crash (e.g. segfault)
 # because all Ghostscript software is built from one same Ghostscript source tar ball
@@ -219,7 +224,6 @@ Summary:        X11 library for Ghostscript
 # The exact matching version-release of the ghostscript main-package is available
 # on the same package repository where the ghostscript-x11 sub-package is because
 # all are built simulaneously from the same Ghostscript source package:
-Group:          Productivity/Publishing/PS
 Requires:       ghostscript = %{version}-%{release}
 # Unfortunately ghostscript-library.spec and ghostscript-mini.spec have
 # an unversioned "Provides: ghostscript" and for RPM this means that both